A computer implemented method to determine a security configuration for a target virtual machine (vm) in a virtualized computing environment, the method including training a machine learning algorithm to determine a vector of security vulnerabilities for the target vm based on a vector of configuration characteristics for the target vm, the machine learning algorithm being trained using training examples each including a configuration for a training vm and an associated vulnerability vector based on an observed security occurrence at the training vm, wherein each training example further includes an identification of one of set of security configurations for the training vm; selecting at least a subset of the set of security configurations and, for each security configuration in the subset, executing the machine learning algorithm with the vector of configuration characteristics for the target vm and an identification of the security configuration, so as to generate a set of vulnerability vectors including a vulnerability vector for each security configuration in the selected subset; and selecting a security configuration for the target vm based on the set of vulnerability vectors.
|
1. A computer implemented method to determine a security configuration for a target virtual machine (vm) in a virtualized computing environment, the method comprising:
training a machine learning algorithm to determine a vector of security vulnerabilities for the target vm based on a vector of configuration characteristics for the target vm, the machine learning algorithm being trained using training examples, each of the training examples including a configuration for a training vm and an associated vulnerability vector based on an observed security occurrence at the training vm, wherein each of the training examples further includes an identification of one of a set of security configurations for the training vm;
selecting at least a subset of the set of security configurations and, for each security configuration in the selected subset, executing the machine learning algorithm with the vector of configuration characteristics for the target vm and an identification of the security configuration in the selected subset, so as to generate a set of vulnerability vectors including a vulnerability vector for each security configuration in the selected subset applied to the target vm; and
selecting a security configuration for the target vm based on the set of vulnerability vectors.
6. A computer system comprising:
a processor and memory storing computer program code for determining a security configuration for a target virtual machine (vm) in a virtualized computing environment, by:
training a machine learning algorithm to determine a vector of security vulnerabilities for the target vm based on a vector of configuration characteristics for the target vm, the machine learning algorithm being trained using training examples, each of the training examples including a configuration for a training vm and an associated vulnerability vector based on an observed security occurrence at the training vm, wherein each of the training examples further includes an identification of one of a set of security configurations for the training vm;
selecting at least a subset of the set of security configurations and, for each security configuration in the selected subset, executing the machine learning algorithm with the vector of configuration characteristics for the target vm and an identification of the security configuration in the selected subset, so as to generate a set of vulnerability vectors including a vulnerability vector for each security configuration in the selected subset applied to the target vm; and
a security configuration for the target vm based on the set of vulnerability vectors.
7. A non-transitory computer-readable storage medium comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer system to determine a security configuration for a target virtual machine (vm) in a virtualized computing environment by:
training a machine learning algorithm to determine a vector of security vulnerabilities for the target vm based on a vector of configuration characteristics for the target vm, the machine learning algorithm being trained using training examples, each of the training examples including a configuration for a training vm and an associated vulnerability vector based on an observed security occurrence at the training vm, wherein each of the training examples further includes an identification of one of a set of security configurations for the training vm;
selecting at least a subset of the set of security configurations and, for each security configuration in the selected subset, executing the machine learning algorithm with the vector of configuration characteristics for the target vm and an identification of the security configuration in the selected subset, so as to generate a set of vulnerability vectors including a vulnerability vector for each security configuration in the selected subset applied to the target vm; and
selecting a security configuration for the target vm based on the set of vulnerability vectors.
2. The method of
4. The method of
receiving an indication of one or more security threats affecting the target vm, each of the one or more security threats being suitable for identifying one or more vm characteristics rendering a vm susceptible to the one or more security threats; and
wherein the selection of the security configuration is additionally made based on the indication of the one or more security threats by weighting elements in each vulnerability vector of the set of vulnerability vectors based on the one or more vm characteristics identified by the one or more security threats.
5. The method of
|
The present application is a National Phase entry of PCT Application No. PCT/EP2018/077782, filed Oct. 11, 2018, which claims priority from EP Patent Application No. 17200479.8, filed Nov. 7, 2017, each of which is hereby fully incorporated herein by reference.
The present disclosure relates to the selection of a security policy for a virtualized computer system dynamically.
Virtualized computing environments provide for the instantiation and deployment of potentially multiple virtual machines (VMs) as virtual implementations of physical machines. Improving the security of such VMs is an ongoing challenge as security threats continue to develop taking advantage of potential security vulnerabilities in a VM configuration.
Security information and event management (SIEM) products or services track security events from networks and applications. SIEM can be provided as software solutions or network appliances that log the security events and provide visibility and reporting. These can be combined with a Managed Security Service (MSS) by a MSS Provider (MSSP). An MS SP may manage many VMs which involves managing security policies for those machines.
Security policies for a VM defines a security configuration for the machine and specifies how the security of the machine is managed. A security configuration may include configuration characteristics of the VM such as the availability of certain networking resources, the execution of certain applications, the provision of facilities such as encryption of data at rest and/or in transit, the provision of security facilities such as intrusion detection facilities, firewalls, malware and/or virus detection facilities, remediation facilities and the like, a version, level or patch level of one or more components in the VM, operating system (OS) facilities, a frequency of update/patching and other factors as will be apparent to those skilled in the art.
Security configurations are typically fixed or infrequently adapted and so they can easily become out of date and unreflective of current risks or threats to a VM.
Thus, there is a need to provide improvements to the security configuration of VMs.
The present disclosure accordingly provides, in a first aspect, a computer implemented method to determine a security configuration for a target virtual machine (VM) in a virtualized computing environment, the method comprising: training a machine learning algorithm to determine a vector of security vulnerabilities for the target VM based on a vector of configuration characteristics for the target VM, the machine learning algorithm being trained using training examples each including a configuration for a training VM and an associated vulnerability vector based on an observed security occurrence at the training VM, wherein each training example further includes an identification of one of set of security configurations for the training VM; selecting at least a subset of the set of security configurations and, for each security configuration in the subset, executing the machine learning algorithm with the vector of configuration characteristics for the target VM and an identification of the security configuration, so as to generate a set of vulnerability vectors including a vulnerability vector for each security configuration in the selected subset; and selecting a security configuration for the target VM based on the set of vulnerability vectors.
In some embodiments, each vulnerability vector includes an indicator of each of a plurality of security vulnerabilities of a VM.
In some embodiments, each security vulnerability includes a characteristic of a VM.
In some embodiments the method further comprises: receiving an indication of one or more security threats affecting the target VM, each threat being suitable for identifying one or more VM characteristics rendering a VM susceptible to the threat; and the selection of a security configuration is additionally made based on the indication of one or more security threats by weighting elements in each vector of the set of vulnerability vectors based on the VM characteristics identified by the security threats.
In some embodiments, a vector of configuration characteristics includes an indicator of a state of each of a plurality of configuration characteristics for a VM.
The present disclosure accordingly provides, in a second aspect, a computer system including a processor and memory storing computer program code for performing the methods set out above.
The present disclosure accordingly provides, in a third aspect, a computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the methods set out above.
Embodiments of the present disclosure will now be described, by way of example only, with reference to the accompanying drawings, in which:
A security configuration 216, as an embodiment of a security policy, can include, inter alia: the installation, deinstallation, modification or configuration of one or more resources for the VM including, for example, software, patches, services, security facilities and the like; the deployment of one or more specific security protective measures such as intrusion detection, virus detection, malware detection, network scanning, real-time scanning, network monitoring, network configuration, or other facilities as will be apparent to those skilled in the art; patching, updating, replacement or reconfiguration of operating system, kernel, hypervisor, memory, storage, processor or other resources of the target VM; and other security configuration measures.
In addition to the threat information 206, 208, the security configuration selector 214 is responsive to the risk evaluation based on a determination of a degree of vulnerability of the target VM. The degree of vulnerability is reflected in the VM vulnerability vector 210 as a vector of metrics each corresponding to an indication of an extent of a weakness of the target VM to exploitation. For example, the opening of networking ports introduces a vulnerability to exploitation of those open ports by malicious entities. The nature, number, extent and security of such open ports can be reflected as one or more metrics in the VM vulnerability vector 210 for the target VM. The risk evaluated by the risk evaluator 212 thus constitutes a metric combining a vulnerability of the target VM with matched threats (local and/or global).
The vulnerability vector 210 is determined based on a supervised machine learning algorithm 204 for inferring a function from labelled training data. The machine learning algorithm 204 is trained using training data consisting of training examples each having an input vector and desired output vector. The machine learning algorithm 204 thus analyses the training data to produce an inferred function which can be used for mapping new examples, including an input vector for the target VM to infer an output vector for the target VM. The implementation of such supervised machine learning algorithms is beyond the scope of this specification and will be apparent to those skilled in the art.
In embodiments of the present disclosure, the machine learning algorithm 204 is trained to identify a VM vulnerability vector 210 for a VM based on a vector of configuration characteristics of the VM known as a VM configuration vector 202. The VM configuration vector 202 is a vector of metrics each corresponding to one or more configuration characteristics of a VM. For example, the VM configuration vector 202 can encode a VM configuration state including and/or based on, inter alia: log file data; operating system type, version and/or update; applications, services, features or other components installed in the VM; user information for the VM; geographic location of the VM or hardware used for instantiating, supporting, running or managing the VM; network information pertaining to the VM such as a network topology, network connections and the like; and security features installed in the VM such as intrusion detection, malware detection, antivirus, firewall and the like. Thus, in use, the machine learning algorithm 204 determines a VM vulnerability vector 210 for a VM configuration vector 202, as depicted in
Training the supervised machine learning algorithm 204 is necessary. In particular, the machine learning algorithm 204 is trained to generate a VM vulnerability vector 210 for a VM configuration vector 202 to reflect known or realized security occurrences. A security occurrence includes an attack or other security event that corresponds, at least in part, to the realization of the effect of a security vulnerability existing in a VM having a particular VM configuration. Thus, training examples are required for the machine learning algorithm for which a security occurrence was realized and including a configuration vector 202 for a training VM and a corresponding vulnerability vector 210 in view of the security occurrence. The identification of such training examples is particularly challenging, not least because a large number of training examples is required to provide effective training for the machine learning algorithm 204.
The security occurrence information 406 relates to a security attack or other security event occurring in respect of a training VM and includes time information for identifying a particular configuration in the data lake 402 of the training VM at the time of the security occurrence. Thus, the security occurrence is referable to a VM configuration vector derived based on a timed VM configuration in the data lake. Further, the security occurrence information 406 serves as a basis for defining a VM vulnerability vector 210 for the training VM because the security occurrence information 406 includes sufficient information to populate a VM vulnerability vector. Thus, by way of the security occurrence information 406, the training data labeler 404 generates labelled training examples each as a VM configuration vector 202 from the data lake 402 identified and labeled by a VM vulnerability vector derived from the security occurrence information 406.
The security occurrence information 406 relates directly to discrete VM configurations in the data lake based on the timing of the security occurrence and the temporal indication for each VM configuration, and therefore, to discrete VM configuration vectors 202. Thus there will be many (probably a vast majority) VM configurations derivable from the data lake 402 for which no security occurrence information is available and, therefore, for which no VM vulnerability vector 210 can be determined. For these VM configurations, the training data labeler 404 employs a reverse decay strategy to apply a security occurrence 406 to temporally previous VM configuration vectors 202 for the same VM. That is to say that VM configurations occurring prior to a configuration at which a security occurrence 406 was observed can be presumed to contribute to the vulnerability of the VM at the time of the security occurrence 406. In this regard, such prior VM configurations can be considered to have a “pre-vulnerability”. The distance, temporally, that such a presumption can be applied is configurable such that only configurations occurring temporally prior but temporally “close” (according to a formal definition) to that for which the security occurrence 406 occurred are so labelled. The presumption is appropriate because VM configuration is an evolutionary process such that configuration changes occurring over time are cumulative. Accordingly, a single configuration known to be demonstrably vulnerable by virtue of a security occurrence 406 is reasonably considered to impart at least a degree of vulnerability on temporally previous configurations, at least within a configurable or predetermined temporal window.
Drawing back from this time T temporally, a previous VM configuration occurring at time T-d (some time delta d prior to T), VM1CT-d, is labeled as a training example with a modified form of the VM vulnerability vector for VM1CT applicable at a time, T. In particular, as illustrated in the graph of
Thus, in this way, a number of useful training examples for the machine learning algorithm 204 is increased by interpolating training examples from prior VM configurations based on security occurrence information. Notably, the nature of the security occurrence information 406 can itself lead to a decay or reduction of a degree of vulnerability even for a VM configuration applicable at the time of the occurrence, depending on the type of occurrence. For example, where the occurrence 406 is a confirmed security attack, then no reduction in the degree of vulnerability may apply. However, where the occurrence 406 is one of a number of security events of potentially differing severity, such as a virus detection and removal, a suspicion of intrusion and the like, then the degree of vulnerability reflects in the VM vulnerability vector can be reduced according to predetermined measures or factors so as to emphasize vulnerability of a VM configuration in the event of a confirmed attack and to relatively de-emphasize de-emphasise vulnerability in the event of less significant security events.
The approach of
Insofar as embodiments of the disclosure described are implementable, at least in part, using a software-controlled programmable processing device, such as a microprocessor, digital signal processor or other processing device, data processing apparatus or system, it will be appreciated that a computer program for configuring a programmable device, apparatus or system to implement the foregoing described methods is envisaged as an aspect of the present disclosure. The computer program may be embodied as source code or undergo compilation for implementation on a processing device, apparatus or system or may be embodied as object code, for example.
Suitably, the computer program is stored on a carrier medium in machine or device readable form, for example in solid-state memory, magnetic memory such as disk or tape, optically or magneto-optically readable memory such as compact disk or digital versatile disk etc., and the processing device utilizes the program or a part thereof to configure it for operation. The computer program may be supplied from a remote source embodied in a communications medium such as an electronic signal, radio frequency carrier wave or optical carrier wave. Such carrier media are also envisaged as aspects of the present disclosure.
It will be understood by those skilled in the art that, although the present disclosure has been described in relation to the above described example embodiments, the invention is not limited thereto and that there are many possible variations and modifications which fall within the scope of the invention.
The scope of the present disclosure includes any novel features or combination of features disclosed herein. The applicant hereby gives notice that new claims may be formulated to such features or combination of features during prosecution of this application or of any such further applications derived therefrom. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the claims.
El-Moussa, Fadi, Shackleton, Mark
Patent | Priority | Assignee | Title |
Patent | Priority | Assignee | Title |
10482245, | Aug 16 2016 | British Telecommunications public limited company | Secure configuration in a virtualized computing environment |
10484402, | Aug 16 2016 | British Telecommunications public limited company | Security in virtualized computing environments |
10623419, | Aug 16 2016 | British Telecommunications public limited company | Configuration parameters for virtual machines |
10733295, | Dec 30 2014 | British Telecommunications public limited company | Malware detection in migrated virtual machines |
10747886, | Aug 16 2016 | British Telecommunication public limited company | Attack assessment in a virtualized computing environment |
11423144, | Aug 16 2016 | British Telecommunications public limited company | Mitigating security attacks in virtualized computing environments |
6421719, | May 25 1995 | CONCORD COMMUNICATIONS, INC ; Computer Associates Think, Inc | Method and apparatus for reactive and deliberative configuration management |
9306962, | Jul 25 2013 | Verizon Patent and Licensing Inc | Systems and methods for classifying malicious network events |
20140082730, | |||
20140344926, | |||
20160239330, | |||
20160350539, | |||
20170147816, | |||
20170149807, | |||
20170201490, | |||
20170279826, | |||
20170351860, | |||
20180060575, | |||
20180060581, | |||
20190005246, | |||
20190188392, | |||
WO2017180611, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Oct 11 2018 | British Telecommunications public limited company | (assignment on the face of the patent) | / | |||
Apr 07 2020 | EL-MOUSSA, FADI | British Telecommunications public limited company | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 053466 | /0929 | |
Apr 09 2020 | SHACKLETON, MARK | British Telecommunications public limited company | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 053466 | /0929 |
Date | Maintenance Fee Events |
May 07 2020 | BIG: Entity status set to Undiscounted (note the period is included in the code). |
Date | Maintenance Schedule |
Oct 03 2026 | 4 years fee payment window open |
Apr 03 2027 | 6 months grace period start (w surcharge) |
Oct 03 2027 | patent expiry (for year 4) |
Oct 03 2029 | 2 years to revive unintentionally abandoned end. (for year 4) |
Oct 03 2030 | 8 years fee payment window open |
Apr 03 2031 | 6 months grace period start (w surcharge) |
Oct 03 2031 | patent expiry (for year 8) |
Oct 03 2033 | 2 years to revive unintentionally abandoned end. (for year 8) |
Oct 03 2034 | 12 years fee payment window open |
Apr 03 2035 | 6 months grace period start (w surcharge) |
Oct 03 2035 | patent expiry (for year 12) |
Oct 03 2037 | 2 years to revive unintentionally abandoned end. (for year 12) |